I could rebuild my cluster from backup before the upgrade to CentOS Stream.
So I'll be able to work from there.
On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> I'm on freeipa 4.9.0 on CentOS Stream. (1 master and 1 replica)
> I have noticed that my replication is broken. Unfortunatly, I don't know
> since when...
>
> First Question, can it b fixed?
> Second question, is it possible to peform a restore (on one node, both nodes)
> to fix the issue.
> I recently upgraded from CentOS 8 to CentOS Stream (ipa with it). So can I
> restore from a previous version?
>
>
> Here are some snipets of what I see.
> $ sudo ipa-healthcheck
> Internal server error HTTPSConnectionPool(host='ipa-master-tmp.empire.lan',
> port=443): Max retries exceeded with url:
> /ca/rest/certs/search?size=3 (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
> 0x7fa49f3df320>: Failed
> to
> establish a new connection: [Errno -2] Name or service not known',))
> [
> {
> "source": "pki.server.healthcheck.clones.connectivity_and_data",
> "check": "ClonesConnectivyAndDataCheck",
> "result": "ERROR",
> "uuid": "66815b82-56d9-43a4-9035-78333c5cb5cd",
> "when": "20210308162643Z",
> "duration": "0.364202",
> "kw": {
> "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host:
> ipa-master-tmp.empire.lan Port: 443"
> }
> },
> {
> "source": "ipahealthcheck.ds.replication",
> "check": "ReplicationCheck",
> "result": "WARNING",
> "uuid": "55addd45-6440-4317-8d0b-8eb0d516bd4e",
> "when": "20210308162645Z",
> "duration": "0.353734",
> "kw": {
> "key": "DSREPLLE0002",
> "items": [
> "Replication",
> "Conflict Entries"
> ],
> "msg": "There were 6 conflict entries found under the replication
> suffix \"dc=empire,dc=lan\"."
> }
> }
> ]
>
> pki-tomcatd seems ok :
> $ sudo journalctl -u pki-tomcatd@pki-tomcat
> -- Logs begin at Mon 2021-03-08 17:24:39 CET, end at Mon 2021-03-08 17:35:01
> CET. --
> Mar 08 17:25:01 ipa-master.empire.lan systemd[1]: Starting PKI Tomcat Server
> pki-tomcat...
> Mar 08 17:25:04 ipa-master.empire.lan java[1613]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: Java virtual machine
> used: /usr/lib/jvm/java-1.8.0-openjdk/bin/java
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: classpath used:
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-
> juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-la>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: main class used:
> org.apache.catalina.startup.Bootstrap
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: flags used:
> -Dcom.redhat.fips=false
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: options used:
> -Dcatalina.base=/var/lib/pki/pki-tomcat -
> Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/>
> Mar 08 17:25:05 ipa-master.empire.lan server[1716]: arguments used: start
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]: pki.client:
> /usr/libexec/ipa/ipa-pki-wait-running:63: The subsystem in
> PKIConnection.__init__() has been deprecated (https>
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Created connection
> http://ipa-master.empire.lan:8080/ca
> Mar 08 17:25:05 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Max retries exceeded>
> Mar 08 17:25:06 ipa-master.empire.lan java[1716]: usr/lib/api/apiutil.c Could
> not open /run/lock/opencryptoki/LCK..APIlock
> Mar 08 17:25:06 ipa-master.empire.lan server[1716]: WARNING: Some of the
> specified [protocols] are not supported by the SSL engine and
> have
> been skipped: [[TLSv1, TLSv1.1]]
> Mar 08 17:25:07 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:09 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:11 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='ipa-
> master.empire.lan', port=8080): Read timed out. (rea>
> Mar 08 17:25:12 ipa-master.empire.lan ipa-pki-wait-running[1717]:
> ipa-pki-wait-running: Success, subsystem ca is running!
> Mar 08 17:25:12 ipa-master.empire.lan systemd[1]: Started PKI Tomcat Server
> pki-tomcat.
>
> Best
> Antoine
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
